DETAILED ACTION 

1. Applicant's amendment received on 1/29/08 has been entered. 

Response to Arguments 

2. Applicant's arguments have been carefully considered. 

3. Applicant's remarks and amendment addressed the 35 USC § 112 rejection which, as a 
result, is withdrawn. 

4. The amendment introduces a new limitation into the originally sole independent 
claim 1, claims 10, 20, 30 and 40, and dependent claims 6-9, 22, 24, 31, 34, 36-39, 43 and 
46. Claims 2-3, 12-13, 21, 23 and 32-33 have been cancelled. The newly introduced 
limitation has required a new search and consideration of the pending claims. The 
new search has resulted in newly discovered prior art. New grounds of rejection 
based on the newly discovered prior art follow below. 

5. Applicant's arguments appear to be directed towards the previously presented 
claim limitations rather than the amended version. However, for the clarity of the 
record, even though the arguments are moot in view of the new ground(s) of 
rejection, the examiner addresses applicant's allegations. 

6. In regard to the 35 USC §101 rejection directed towards claims 1-9, applicant argues 
that the claimed tunnel classification stage is part of a router, which further 
comprises a lookup unit, which in turn comprises a content-addressable memory. 
The examiner points out that the claim language does not limit the network device 
to a router. Although the elements recited in the claims can be implemented by a 
router comprising memory, they can also represent software, which is not patentable. 
However, including in the claim language the hardware components that, as indicated 
by applicant, are part of the network device would overcome the 35 USC § 101 
rejection. 

Also, note that although some claims, e.g. claim 30, suggest that the software is 
"executable on a computer system" (or, in other words, that the software can be executed by 
a computer system), this does not alleviate the requirement that the software be 
stored in hardware (e.g. RAM, disk, etc.) in order to meet the patentability 
requirements. 

As per claims 10-12 and 14-15, applicant's amendments addressed the "tangibility" 
issues and, as a result, the rejection cited in the previous Office Action is withdrawn. 

7. On pg. 12-13 applicant agrees with the Office Action and remarks on the use of 
conditionals. However, the relevance of these statements is not understood. 

8. As per claims 1-18, 20-28, 30-38, 40-48 and 46-48, applicant argues that AAPA does 
not include the security group identifier. 

The examiner points out that computers operate on values, whatever the value may 
represent, e.g. a user, a group, a domain, a network, a tunnel, etc. In order for a 
computer to perform any meaningful operations on these values, the values must be 
interpreted by the computer according to the intended interpretation. This is 
accomplished by identifying these values by identifiers. In other words, reading a 
value, say 80, would be absolutely useless if there were no indication of what this 
value represents, e.g. is it port 80, is it the number of ports open, is it a particular 
pointer, is it a unique key of a particular database, etc. This is a fundamental 
principle in computer science and is particularly evident in a case where a condition is 
assigned to the value, e.g. as disclosed by AAPA (the specification, paragraph 
[002]): a restriction based on the group(s) to which a user belongs, as disclosed by 
applicant. Note that if there were no unique security group identifier, the computer could 
not distinguish between values, and a search for a particular condition corresponding 
to a particular group would not have been effective. 

Application/Control Number: 10/716,656 Page 4 

Art Unit: 2134 

9. Applicant traverses limitations cited as being "well known". However, applicant does 
not explicitly point out the rejection in question and, as a result, it is not clear 
whether applicant disregards or misunderstands the examiner-provided rationale 
and/or examples. The examiner reminds applicant that in order to adequately 
traverse well-known knowledge, an applicant must specifically point out the 
supposed errors in the examiner's action, which would include stating why the 
noticed fact is not considered to be common knowledge or well known in the art. 
See 37 CFR 1.111(b). See also Chevenard, 139 F.2d at 713, 60 USPQ at 241 ("[I]n 
the absence of any demand by appellant for the examiner to produce authority for 
his statement, we will not consider this contention."). 

10. Claims 1, 4, 6-11, 14-20, 22, 24-31 and 34-49 have been examined. 

The text of those sections of Title 35, U.S. Code not included in this action can be 
found in a prior Office action. 



Claim Rejections - 35 USC § 101 
35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

11. Claims 1, 4, 6-7, 30-31, 34-41 and 43-49 remain rejected under 35 U.S.C. 101 because 
the claimed invention is directed to non-statutory subject matter. Computer software 
must be embodied on computer-readable media. 

Appropriate correction is required. 



Claim Rejections - 35 USC §112 



12. Claim 8 is rejected under 35 U.S.C. 112, second paragraph, as failing to set forth the 
subject matter which applicant(s) regard as their invention. 
The newly amended limitation in claim 8, "said content-addressable memory is 
coupled to access said access control list...", is not understood. For the purpose of 
further examination the examiner treats the limitation as meaning "content-addressable 
memory configured to access said access control list". 

Appropriate correction is required. 

Claim Rejections - 35 USC § 102 

(a) the invention was known or used by others in this country, or patented or described in a printed 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another 
filed in the United States before the invention by the applicant for patent or (2) a patent granted on an 
application for patent by another filed in the United States before the invention by the applicant for 
patent, except that an international application filed under the treaty defined in section 351(a) shall 
have the effects for purposes of this subsection of an application filed in the United States only if the 
international application designated the United States and was published under Article 21(2) of such 
treaty in the English language. 




13. Claims 1, 4, 6-11, 14-17, 19-20, 22, 24-27, 29-31, 34-37, 39-41, 43-47 and 49 are 
rejected under 35 U.S.C. 102(e) as anticipated by or, in the alternative, under 35 
U.S.C. 103(a) as obvious over Ke (USPUB 2003/0041266). 
As per claims 1, 10-11, 20, 22, 30-31, 40-41 and 43, in paragraph [0040] Ke 
discloses as follows: 

[0040] When a packet comes in, a controller (915) detects the packet. The controller is 
connected to the bus (920) and can communicate with the engines. Also connected to the bus 
(920) is a set of virtual private networks (925-940), that each are connected to a network, 
optionally through one or more switches (315). The exemplary networks shown in FIG. 9 include 
two DMZs (Demilitarized Zones) (965,970), an extranet (975) and a general population net (980). 
Each of the virtual private networks (VPNs), has an associated destination address and policies. 
After the packet has been detected by the controller (915), the controller (915) examines the data 
packet for a virtual private network destination address and identifies the policies that are 
associated with the virtual private network destination. If the policies include firewall policies, the 
controller (915) calls the firewall engine (905), which applies the set of firewall policies 
corresponding to the virtual private network destination to the data packet. If the policies include 
authentication policies, the controller (915) calls the authentication engine (910), which applies 
the set of authentication policies corresponding to the virtual private network destination to the 
data packet. After the respective engine has applied the policies, the data packet is routed to the 
virtual private network corresponding to the data packet's destination address. "[0039] 

The examiner considers a virtual private network destination address to read on a 
security group identifier (SGI). The above teaching clearly discloses that the 
appropriate route (a VPN tunnel) of the packet is chosen based on the SGI. Thus, 
Ke's disclosure reads on classifying a packet based on a security group identifier, 
determining said tunnel and forwarding said packet through a tunnel via which said 
packet is to be forwarded. 

Since the above-discussed activities are completed by the network device disclosed 
by Ke, the network device inherently must have the elements performing the tasks 
recited in the claim language. Thus packet classifying and processing is carried out 
by an element reading on the packet processing section, and the element forwarding 
the packet reads on the packet processing section. Of course the packet carries 
various values, and in order for the classification stage and processing stage to 
happen the SGI must be identified. This task is accomplished by an element 
reading on a security group identifier identification unit. 

Additionally, the examiner points out that the network devices disclosed by Ke and 
implementing the method discussed above inherently comprise a processor and a 
storage device as well as sets/subsets of instructions executable on the devices. 
Furthermore, Ke discloses firewall policies that are applied to a packet [0018 and 
0040]. The purpose of firewalls is to screen (permit or disallow forwarding of) 
packets. 

Even if Ke did not disclose that forwarding the packet is subject to permissions 
(e.g. permit forwarding of a packet), the examiner points out that forwarding 
packets having an SGI only if it is permitted is old and well known in the art of computer 
security (see Pfleeger, pg. 426-430 for example), and it would have been obvious to 
one of ordinary skill in the art at the time of applicant's invention to include 
forwarding packets having an SGI if it is permitted, given the benefit of security. 
14. As per claim 4, Ke explicitly discloses communicating using the Internet, and Internet 
TCP/IP packets include the network destination address in a header. 

However, even if Ke's invention did not include the SGI in the header of the packet, 
the examiner points out that not only would such a solution have been an obvious 
variation well known in the art (see the TCP/IP protocol, for example), but also this 
obvious variation would not affect the functionality of the invention. 

15. As per claim 6, Ke clearly discloses the network device being a single device routing 
packets. 

16. As per claim 7, a module verifying whether forwarding the packet is permitted 
reads on a lookup unit. 

17. As per claims 8, 14, 19, 24, 29, 34, 39, 44 and 49, Ke does not explicitly disclose an 
index and an ACL. However, the limitation, if not inherent, is at least implicit. In 
order to determine permissions there must be some kind of data structure that 
allows comparing particular values (e.g. the SGI value) against the rules (permissions). 
This data structure is commonly referred to as an ACL in the art of computer security. 
Even if, somehow, Ke were able to accomplish verifying the permissions without an 
ACL-like data structure, the examiner points out that using an ACL in order to determine 
permissions is old and well known in the art of computer security (see Windows 
NT/Unix file permissions, for example), and it would have been obvious to one of 
ordinary skill in the art at the time of applicant's invention to include an ACL given the 
benefit of efficient and unambiguous verification of security settings. 
18. Furthermore, an ordinary artisan would readily recognize that the process of finding 
permissions associated with a particular value (e.g. SGI) in a data structure (such as 
an ACL database/lookup table) involves accessing the structure using the particular 
value. The examiner considers the value (SGI) used in searching for the permission to 
read on an index and, as a result, retrieving the SGI from the data packet to read on 
generating the index. 

19. Claims 9, 15, 25, 35 and 45 recite that the ACL's included "information as to 
whether said packet can be sent via a tunnel" comprises an "SGI field and a tunnel 
identifier field". The values representing SGIs in the ACL read on the SGI field, and 
clearly they are used in the process of determining whether a packet can be sent via 
a tunnel. Additionally, Ke clearly discloses that the policies can vary based on the 
type of the tunnel (e.g. the type of a tunnel: IPSec, L2TP, PPTP [0018 and 0052]), 
which the examiner considers to be an identifier of the tunnel. Thus, it would have 
been obvious to one of ordinary skill in the art at the time of applicant's invention to 
include an identifier of the tunnel in the ACL given the benefit of a more 
comprehensive data forwarding determination. 

20. Additionally, the "SGI field" and "tunnel identifier field" as cited in claims 9, 15, 
25, 35 and 45 are data that are not functionally related to the process of determining 
packet handling. Thus, as long as one of the fields listed in the ACL is found to be used 
in determining whether sending a packet is permitted, the "SGI field" and/or the 
"tunnel identifier field" are descriptive data that do not distinguish the claimed 
invention from the prior art in terms of patentability; see In re Gulack, 703 F.2d 1381, 
1385, 217 USPQ 401, 404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 
1031 (Fed. Cir. 1994). Because such data does not functionally relate to the 
process of determining and is merely a label, any additional data describing policies 
(e.g. the type of a tunnel, or a key field that inherently must be present in the 
searched database and can be any unique value, including a consecutive integer; 
see any database design literature) different from that in the prior art (at least "the 
tunnel identifier field") would have been obvious. See Gulack cited above. 
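The reasoning of paragraphs 17 through 20 (an ACL-like structure accessed with the SGI retrieved from the packet as its index, whose entries carry an SGI field and a tunnel identifier field, and whose answer gates forwarding) written out as an added example. This code is not part of the Office action, the application under examination or the Ke reference; the packet layout, the field names, the destination-prefix tunnel table and the sample policy are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed packet model: the SGI travels in the header next to the
# destination address (compare claim 4); the payload is opaque here.
@dataclass(frozen=True)
class Packet:
    sgi: int
    dst: str
    payload: bytes = b""

# One ACL entry with the two fields named in claims 9, 15, 25, 35 and 45:
# an SGI field and a tunnel identifier field, plus the permission itself.
@dataclass(frozen=True)
class AclEntry:
    sgi: int
    tunnel_id: str
    permit: bool

class Acl:
    """Access control list indexed by (SGI, tunnel id).

    Retrieving the SGI from the packet and using it as the lookup key is
    the "generating the index" step of paragraph 18.
    """
    def __init__(self, entries: Iterable[AclEntry]) -> None:
        self._table: Dict[Tuple[int, str], bool] = {
            (e.sgi, e.tunnel_id): e.permit for e in entries
        }

    def permits(self, sgi: int, tunnel_id: str) -> bool:
        # No matching entry means deny: an unknown group is never forwarded.
        return self._table.get((sgi, tunnel_id), False)

# Constructed tunnel table: destination prefix -> tunnel identifier.
TUNNELS: Dict[str, str] = {
    "10.1.0.0/16": "ipsec-dmz",
    "10.2.0.0/16": "l2tp-extranet",
}

def identify_sgi(pkt: Packet) -> int:
    """Security group identifier identification unit: read the SGI field."""
    return pkt.sgi

def select_tunnel(dst: str) -> Optional[str]:
    """Tunnel determination: longest-prefix match of the destination address."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, tunnel_id in TUNNELS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, tunnel_id)
    return best[1] if best else None

def classify_and_forward(pkt: Packet, acl: Acl) -> Optional[str]:
    """Return the tunnel the packet is forwarded through, or None if dropped."""
    sgi = identify_sgi(pkt)                # classification stage
    tunnel_id = select_tunnel(pkt.dst)     # tunnel determination
    if tunnel_id is None:
        return None                        # no route: drop
    if not acl.permits(sgi, tunnel_id):    # lookup unit: permission check
        return None
    return tunnel_id                       # forwarding stage

# Constructed sample policy: group 100 may use the DMZ tunnel but is
# explicitly barred from the extranet; group 200 may use the extranet.
SAMPLE_ACL = Acl([
    AclEntry(100, "ipsec-dmz", True),
    AclEntry(100, "l2tp-extranet", False),
    AclEntry(200, "l2tp-extranet", True),
])

if __name__ == "__main__":
    for pkt in (Packet(100, "10.1.5.5"), Packet(100, "10.2.5.5"),
                Packet(300, "10.1.5.5"), Packet(200, "192.168.1.1")):
        print(pkt.sgi, pkt.dst, "->", classify_and_forward(pkt, SAMPLE_ACL) or "DROP")
```

The lookup keys on the (SGI, tunnel identifier) pair, so the tunnel identifier field is the key component that makes the permission specific to a tunnel rather than to the group alone. The absent-entry case returns deny rather than permit; a table that answers "permit" for keys it has never seen would forward traffic for any SGI value an operator forgot to list, which is the failure mode the permission check exists to prevent.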

21. As per claims 16-17, 26-27, 36-37 and 46-47, the examiner considers the device 
discussed above (and disclosed as object 305 in Fig. 3 and in detail in Fig. 
9) to be an egress router and devices 315 of Fig. 3 to be ingress routers. (19 
ACL). 

Conclusion 

Allowable Subject Matter: although applicant's arguments towards previously 
presented claims 18, 28, 38 and 48 were found non-persuasive, the newly amended 
claims 18, 28, 38 and 48 are objected to as being dependent upon a rejected base 
claim, but would overcome the art of record if rewritten in independent form including all 
of the limitations of the base claim and any intervening claims as well as addressing the 
35 USC § 101 issues. 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Peter Poltorak, whose telephone number is (571) 272- 
3840. The examiner can normally be reached Monday through Thursday from 9:00 
a.m. to 4:00 p.m. and alternate Fridays from 9:00 a.m. to 3:30 p.m. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand, can be reached on (571) 272-3811. The fax phone number 
for the organization where this application or proceeding is assigned is (571) 273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 